From 4ef6a9a3b0ddbce78a5b8a74083c7731641a8fa7 Mon Sep 17 00:00:00 2001 From: Mike Swanson Date: Mon, 15 Jun 2026 17:49:23 -0700 Subject: [PATCH] sync: auto-sync from GURU-5070 at 2026-06-15 17:49:06 Author: Mike Swanson Machine: GURU-5070 Timestamp: 2026-06-15 17:49:06 --- .claude/memory/MEMORY.md | 1 + ...edback_rmm_system_context_mapped_drives.md | 28 +++++++++++++++++++ .claude/scripts/uos-mongo.sh | 27 +++++++++++++++++- errorlog.md | 2 ++ wiki/systems/uos-server.md | 10 ++++++- 5 files changed, 66 insertions(+), 2 deletions(-) create mode 100644 .claude/memory/feedback_rmm_system_context_mapped_drives.md diff --git a/.claude/memory/MEMORY.md b/.claude/memory/MEMORY.md index f2fa199..763ff99 100644 --- a/.claude/memory/MEMORY.md +++ b/.claude/memory/MEMORY.md 
@@ -146,3 +146,4 @@ - [Physical access codes -> vault + wiki pointer](feedback_physical_access_codes.md) — alarm/lockbox/door codes go in vault clients//physical-access-.sops.yaml (kind: physical-access) + a `## Physical Access` pointer section in the client wiki; never plaintext. First entry: Peaceful Spirit NW. - [CT Thoughts backlog](feedback_ct_thoughts_backlog.md) — ClaudeTools harness ideas go in docs/CT_THOUGHTS.md (trigger "ct thought:"); CT analogue of RMM_THOUGHTS. Don't build until explicit go. First entry = ClaudeTools 3.0 web co-work vision. - [AI-auth product boundary](project_ai_auth_product_boundary.md) — ClaudeTools/ClaudeTools 3.0 = internal-only, per-person subscription OAuth ok; GuruRMM = sellable, customer brings own API key (never ACG's subscription); backend dev = internal. Anthropic ToS bans subscription auth in third-party products. +- [RMM SYSTEM context can't see user mapped drives](feedback_rmm_system_context_mapped_drives.md) — RMM runs as SYSTEM; `Test-Path F:\` etc. is False even when the user's mapped/redirected drive exists. Diagnose mapped-drive/redirect issues in `context:user_session`. Elevated apps (e.g. QB DB Server Manager "unable to retrieve root folder") need `EnableLinkedConnections=1` + reboot. diff --git a/.claude/memory/feedback_rmm_system_context_mapped_drives.md b/.claude/memory/feedback_rmm_system_context_mapped_drives.md new file mode 100644 index 0000000..605508e --- /dev/null +++ b/.claude/memory/feedback_rmm_system_context_mapped_drives.md 
@@ -0,0 +1,28 @@ +--- +name: feedback-rmm-system-context-mapped-drives +description: RMM commands run as SYSTEM and cannot see a user's mapped network drives / network-redirected folders — diagnose those in user_session; elevated apps need EnableLinkedConnections. +metadata: + type: feedback +--- + +GuruRMM agent commands execute as **SYSTEM**, which has **no access to a logged-on user's +mapped network drives or network-redirected shell folders**. A `Test-Path F:\` (or a +redirected Desktop on a UNC) will return **False under SYSTEM even when it exists fine in the +user's session** — do not conclude the drive/folder is "missing/dead" from a SYSTEM check. + +**Why:** Mike corrected exactly this on LS-1 (Lonestar) 2026-06-15 — I called `F:\FolderRedirection\Robin\Desktop` +a dead drive; it's actually `F: -> \\tower\Data` (folder redirection to the Unraid "Tower" +server), present with 102 items in Robin's session. + +**How to apply:** +- For any mapped-drive / network-redirected-folder / per-user-path question, dispatch the RMM + command with `"context": "user_session"` (runs under the active user's token) and verify with + `whoami`, `net use`, `Get-PSDrive`. +- Separately: an **elevated** app (UAC) gets a different token that also lacks the user's mapped + drives. Symptom seen: QuickBooks Database Server Manager ("Add" folder) throws + `FolderBrowserDialog ... Unable to retrieve the root folder` because its root (the Desktop) is + on an unmapped `F:` in the elevated token. Fix: set + `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = 1` + (DWORD) and reboot — shares the mapped drives across the user's elevated + normal tokens. + +Related: [[feedback_tmp_path_windows]] diff --git a/.claude/scripts/uos-mongo.sh b/.claude/scripts/uos-mongo.sh index 73cd2c5..7124019 100644 --- a/.claude/scripts/uos-mongo.sh +++ b/.claude/scripts/uos-mongo.sh 
@@ -33,7 +33,32 @@ set -euo pipefail UOS_HOST="${UOS_HOST:-172.16.3.29}" UOS_SSH_USER="${UOS_SSH_USER:-root}" -SSH=(ssh -o ConnectTimeout=15 -o StrictHostKeyChecking=accept-new "${UOS_SSH_USER}@${UOS_HOST}") + +# Resolve the SSH key. Prefer $UOS_SSH_KEY; otherwise extract the vaulted dedicated +# UOS key (infrastructure/uos-server-ssh-key, stored base64 in ssh-private-key-b64 +# because vault-helper can't store multiline) to a temp file so this works on ANY +# fleet machine, not just one whose personal key happens to be authorized on .29. +_uos_key="" +if [ -n "${UOS_SSH_KEY:-}" ]; then + _uos_key="$UOS_SSH_KEY" +else + _repo="$(git rev-parse --show-toplevel 2>/dev/null || echo .)" + _vault="$_repo/.claude/scripts/vault.sh" + if [ -f "$_vault" ]; then + _uos_key="$(mktemp "${TMPDIR:-/tmp}/uos-key.XXXXXX")" + bash "$_vault" get-field infrastructure/uos-server-ssh-key credentials.ssh-private-key-b64 2>/dev/null \ + | tr -d '\r\n ' | base64 -d > "$_uos_key" 2>/dev/null + chmod 600 "$_uos_key" 2>/dev/null || true + trap '[ -z "${UOS_SSH_KEY:-}" ] && [ -n "$_uos_key" ] && rm -f "$_uos_key"' EXIT + [ -s "$_uos_key" ] || { rm -f "$_uos_key"; _uos_key=""; } # fall back to default key + fi +fi + +if [ -n "$_uos_key" ]; then + SSH=(ssh -o ConnectTimeout=15 -o StrictHostKeyChecking=accept-new -o IdentitiesOnly=yes -i "$_uos_key" "${UOS_SSH_USER}@${UOS_HOST}") +else + SSH=(ssh -o ConnectTimeout=15 -o StrictHostKeyChecking=accept-new "${UOS_SSH_USER}@${UOS_HOST}") +fi REMOTE='su - uosserver -c "XDG_RUNTIME_DIR=/run/user/1000 podman exec -i uosserver mongo --quiet --port 27117 ace"' run_js() { "${SSH[@]}" "$REMOTE"; } # reads Mongo JS from this function's stdin diff --git a/errorlog.md b/errorlog.md index a7dae94..613880e 100644 --- a/errorlog.md +++ b/errorlog.md 
@@ -17,6 +17,8 @@ Categories (the `[type]` tag): _(none)_ = skill/command execution failure · +2026-06-15 | GURU-5070 | rmm/quickbooks-folderbrowser | [correction] assumed F:FolderRedirection was a dead/missing drive (Test-Path F: = False under SYSTEM); correct: F: is a per-user NETWORK-mapped redirected folder, invisible to the SYSTEM context RMM runs in - must diagnose mapped-drive/redirect issues in user_session + 2026-06-15 | GURU-5070 | rmm | ProfWiz Pro silent-install command returned 'Execution error: Failed to execute command' (status failed, no stdout) on SP-SharonW11 [ctx: agent=86de13d7 host=SP-SharonW11 task=upw-install] 2026-06-15 | GURU-5070 | remediation-tool (Starr Pass licensing) | [correction] reported Brian Shinn's account as DELETED (tied it to the recycle-bin bshinn@ from 6/10 onboarding); actually Mike UNLICENSED Brian in M365 - account not deleted. Don't conflate a soft-deleted recycle-bin entry with the user's recent action; check the ACTIVE account's assignedLicenses for an unlicense diff --git a/wiki/systems/uos-server.md b/wiki/systems/uos-server.md index 81601e0..6f55255 100644 --- a/wiki/systems/uos-server.md +++ b/wiki/systems/uos-server.md 
@@ -33,7 +33,15 @@ So the UniFi-OS web/API HTTPS port is **`11443`**, not the classic `8443`. On `1 ## Access (the single-shot path) -**SSH:** our standard key is already authorized as **root** on the guest. Direct, or jump via Jupiter: +**SSH:** a **dedicated fleet key** is authorized as **root** on the guest — vault +`infrastructure/uos-server-ssh-key` (the private key is base64 in field +`ssh-private-key-b64`; vault-helper can't store multiline). Any fleet machine can use it: +```bash +bash .claude/scripts/vault.sh get-field infrastructure/uos-server-ssh-key credentials.ssh-private-key-b64 \ + | base64 -d > /tmp/uos && chmod 600 /tmp/uos && ssh -i /tmp/uos root@172.16.3.29 'id' +``` +`.claude/scripts/uos-mongo.sh` resolves this key automatically (no setup). GURU-5070's +personal key is also authorized (legacy). Direct, or jump via Jupiter: ```bash ssh root@172.16.3.29 'id' # direct (office LAN or Tailscale subnet route) ssh -J root@172.16.3.20 root@172.16.3.29 # via Jupiter
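Review bot: in the new `.claude/memory/feedback_rmm_system_context_mapped_drives.md`, the "Fix: set `HKLM\...\Policies\System\EnableLinkedConnections = 1`" step needs a caveat: it is a machine-wide policy that lets every user's mapped drives (and the network credentials behind them) be reached from elevated processes, which is precisely the separation UAC's split token exists to enforce, so it should be recorded as a deliberate per-machine exception rather than a default remediation. Suggest listing the cheaper option first, namely pointing the elevated app (QB DB Server Manager "Add" folder) at the UNC path behind the letter (`\\tower\Data\...`) instead of `F:`, and only falling back to the registry change when the app insists on a drive letter. Also worth stating in the "How to apply" bullet that `net use` in `context:user_session` is the check that distinguishes a disconnected mapping from one that is merely invisible to SYSTEM.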
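Review bot: in the `.claude/scripts/uos-mongo.sh` hunk, the key-extraction pipeline `bash "$_vault" get-field ... 2>/dev/null | tr -d '\r\n ' | base64 -d > "$_uos_key" 2>/dev/null` runs under the script's `set -euo pipefail`, so when vault.sh exits nonzero (vault locked, field missing) the whole script aborts before the `[ -s "$_uos_key" ] || { rm -f "$_uos_key"; _uos_key=""; }` fallback can run, and because the `trap ... EXIT` is installed only after the pipeline, the `mktemp` file is left behind in `$TMPDIR`. Install the trap on the line right after `mktemp`, and make the extraction non-fatal, e.g. `if ! bash "$_vault" get-field ... | base64 -d > "$_uos_key" 2>/dev/null; then _uos_key=""; fi` (the `if` context suppresses `-e`), so the default-key fallback actually works. Two hardening follow-ups: the decoded private key never needs to touch disk if it is loaded into a per-invocation `ssh-agent` with `ssh-add -` reading from stdin, and now that any fleet machine uses this shared key, pin the host key of `${UOS_HOST}` in a checked-in known_hosts file instead of relying on `StrictHostKeyChecking=accept-new`, which trusts whatever key the first connection sees.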
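Review bot: in the `wiki/systems/uos-server.md` hunk, the documented one-liner decodes the private key to the fixed path `/tmp/uos`, which is predictable in a shared directory, is created with the caller's default umask before `chmod 600 /tmp/uos` runs, would follow a pre-existing symlink at that path, and is never deleted after the `ssh`. Suggest the wiki mirror what uos-mongo.sh does (`umask 077`, `mktemp`, remove on exit) or simply tell readers to run the script, and add the `tr -d '\r\n '` step that the script uses, since `base64 -d` rejects stray spaces or CRs in the vault value and the bare one-liner will fail where the script succeeds. The sentence "GURU-5070's personal key is also authorized (legacy)" should also carry a removal plan, otherwise the point of a dedicated fleet key (one credential to rotate and audit on the guest's root account) is undercut.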